OpenLDAP Tinkerings

This is mostly my home play stuff

Adding a Solaris 10 client to LDAP via the proxy agent

domainname sus.local

domainname > /etc/defaultdomain

ldapclient init -v -a proxyDN=cn=proxyagent,ou=profile,dc=sus,dc=local -a proxyPassword=proxy_password -a domainName=sus.local -a profileName=default jorik.sus.local

Two caveats. The proxy password passed with -a proxyPassword ends up in the shell history and is visible in ps output while the command runs, and ldapclient keeps a lightly obscured (not encrypted) copy of it in /var/ldap/ldap_client_cred on every client, so treat that file and the proxyagent account as a shared secret. The "default" profile uses authenticationMethod: simple over plain ldap://, so that bind, password included, crosses the network in cleartext; the tls_profile further down (tls:simple) is the one to point real clients at. ldapclient init rewrites /etc/nsswitch.conf from nsswitch.ldap but leaves /etc/pam.conf alone, which is why the pam.conf below is needed.


Debug LDAP on Solaris with ldaplist

ldaplist

dn: ou=profile,dc=sus,dc=local

dn: ou=People,dc=sus,dc=local

dn: ou=policies,dc=sus,dc=local

dn: nisMapName=auto_master,dc=sus,dc=local

dn: nisMapName=auto_home,dc=sus,dc=local

ldaplist -h

database       default type        objectclass
=============  =================   =============
auto_*         automountKey        automount
automount      automountMapName    automountMap
publickey      uidnumber           niskeyobject
publickey      cn                  niskeyobject
bootparams     cn                  bootableDevice
ethers         cn                  ieee802Device
group          cn                  posixgroup
hosts          cn                  iphost
ipnodes        cn                  iphost
netgroup       cn                  nisnetgroup
netmasks       ipnetworknumber     ipnetwork
networks       ipnetworknumber     ipnetwork
passwd         uid                 posixaccount
protocols      cn                  ipprotocol
rpc            cn                  oncrpc
services       cn                  ipservice
aliases        cn                  mailGroup
project        SolarisProjectID    SolarisProject
printers       printer-uri         sunPrinter
auth_attr      cn                  SolarisAuthAttr
prof_attr      cn                  SolarisProfAttr
exec_attr      cn                  SolarisExecAttr
user_attr      uid                 SolarisUserAttr
audit_user     uid                 SolarisAuditUser

listusers

anya            el bizda
caroline        el diablo
nathaniel       2nd Boss!
noaccess        No Access User
nobody          NFS Anonymous Access User
nobody4         SunOS 4.x NFS Anonymous Access User
poshpaws        Da Boss!
sirbob          Test User
tove            der toad



Solaris 10 native ldapclient pam.conf

# pam.conf.ldapv2_native_client
#
# http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
#
# IMPORTANT NOTES from Gary Tay
#
# 1) This is a /etc/pam.conf with password management support that works for:
#
# Solaris10 Native LDAP Client
# Solaris9 Native LDAP Client provided that:
# - latest kernel patch and Patch 112960 are applied
# - all the pam_unix_cred.so.1 lines are commented out
# Solaris8 Native LDAP Client provided that:
# - latest kernel patch and Patch 108993 are applied
# - all the pam_unix_cred.so.1 lines are commented out
#
# 2) If modules for "sshd" or any are not defined, default is "other"
# as seen by output of "grep other /etc/pam.conf"
#
# Notes from Mark Janssen
#
# 3) SSH Pubkey authentication needs its own pam rules on sshd-pubkey
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#other session required pam_mkhomedir.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 debug server_policy

# Custom Stuff
# Allow ssh-pubkey (SUN-SSH) logins to work
sshd-pubkey account required pam_unix_account.so.1
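The interesting part of that file is the "other auth" stack: pam_unix_auth is "binding" with server_policy and pam_ldap is "required" after it. To make the pam.conf(4) control-flag rules concrete, here is a small Python model of them (requisite, required, binding, sufficient, optional and PAM_IGNORE) run over that exact stack. This is an added example, not part of the original page and not Solaris code: the module behaviour is a simplified model (pam_unix_auth with server_policy is modelled as returning PAM_IGNORE for accounts that are not in /etc/shadow, and the three modules ahead of it as always succeeding), and the account and password data are constructed.

```python
"""Model of Solaris pam.conf(4) control-flag semantics, run over the
'other auth' stack from the pam.conf above.  Added example: the module
behaviour and the account data are a constructed model, not the real modules."""

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# The 'other auth' stack exactly as it appears in the pam.conf above.
OTHER_AUTH = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required",  "pam_dhkeys.so.1"),
    ("required",  "pam_unix_cred.so.1"),
    ("binding",   "pam_unix_auth.so.1 server_policy"),
    ("required",  "pam_ldap.so.1"),
]

# The same stack with 'sufficient' in place of 'binding', for comparison only.
OTHER_AUTH_SUFFICIENT = [
    ("sufficient" if flag == "binding" else flag, mod) for flag, mod in OTHER_AUTH
]

# Constructed accounts: local ones have a hash in /etc/shadow, LDAP ones only
# exist in the directory, 'dual' exists in both with different passwords.
LOCAL_SHADOW = {"root": "local-root-pw", "dual": "dual-local-pw"}
LDAP_DIRECTORY = {"sirbob": "sirbob-pw", "dual": "dual-ldap-pw"}


def evaluate_stack(stack, module_result):
    """Apply the pam.conf(4) rules: a 'requisite' failure returns at once,
    a 'required' failure is remembered but the stack keeps running,
    'binding'/'sufficient' success returns at once unless a required module
    already failed, a 'binding' failure counts as a required failure, a
    'sufficient' failure is ignored, and PAM_IGNORE drops the module."""
    required_failed = False
    decided = False          # at least one module contributed a result
    for flag, module in stack:
        result = module_result(module.split()[0])
        if result == IGNORE:
            continue
        decided = True
        if flag == "requisite" and result == FAIL:
            return FAIL
        if flag in ("required", "binding") and result == FAIL:
            required_failed = True
        if flag in ("binding", "sufficient") and result == SUCCESS and not required_failed:
            return SUCCESS
    if required_failed or not decided:
        return FAIL
    return SUCCESS


def module_results_for(user, password):
    """Simplified behaviour of the modules in the stack (constructed model)."""
    def module_result(name):
        if name in ("pam_authtok_get.so.1", "pam_dhkeys.so.1", "pam_unix_cred.so.1"):
            return SUCCESS          # prompting/credential setup: modelled as always fine
        if name == "pam_unix_auth.so.1":
            if user not in LOCAL_SHADOW:
                return IGNORE       # server_policy: not a files account, leave it to pam_ldap
            return SUCCESS if LOCAL_SHADOW[user] == password else FAIL
        if name == "pam_ldap.so.1":
            return SUCCESS if LDAP_DIRECTORY.get(user) == password else FAIL
        return IGNORE
    return module_result


def authenticate(user, password, stack=OTHER_AUTH):
    """Outcome of the 'auth' stack for one login attempt."""
    return evaluate_stack(stack, module_results_for(user, password))


if __name__ == "__main__":
    for user, pw in [("root", "local-root-pw"), ("sirbob", "sirbob-pw"),
                     ("dual", "dual-ldap-pw")]:
        print(f"{user:7s} binding={authenticate(user, pw)} "
              f"sufficient={authenticate(user, pw, OTHER_AUTH_SUFFICIENT)}")
```

The "dual" account is the point of the comparison: with sufficient, a failed local password check is simply forgotten and pam_ldap can still let the user in with the directory password; with binding the local failure is sticky and the login fails. That is why the stack above uses binding rather than sufficient for pam_unix_auth.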


OpenLDAP and Solaris automounts

Solaris uses different object classes and attributes for automount maps:

-bash-3.2$ ldaplist -h
database       default type        objectclass
=============  =================   =============
auto_*         automountKey        automount
automount      automountMapName    automountMap
publickey      uidnumber           niskeyobject
publickey      cn                  niskeyobject


For Linux and other clients we use nisMapName/nisMap/nisObject rather than automountMapName/automountMap/automount, so in the Solaris profile we set up an objectclassMap and attributeMaps that translate between the two:

"default" profile

dn: cn=default,ou=profile,dc=sus,dc=local
objectClass: DUAConfigProfile
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
authenticationMethod: simple
cn: default
credentialLevel: proxy
defaultSearchBase: dc=sus,dc=local
defaultSearchScope: one
defaultServerList: jorik.sus.local
followReferrals: TRUE
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
profileTTL: 43200
searchTimeLimit: 30

auto_home map

dn: nisMapName=auto_home,dc=sus,dc=local
objectClass: top
objectClass: nisMap
nisMapName: auto_home

dn: cn=poshpaws,nisMapName=auto_home,dc=sus,dc=local
objectClass: nisObject
cn: poshpaws
nisMapEntry: tombliboo:/store/shares/home/poshpaws
nisMapName: auto_home

dn: cn=sirbob,nisMapName=auto_home,dc=sus,dc=local
objectClass: nisObject
cn: sirbob
nisMapEntry: tombliboo:/store/shares/home/sirbob
nisMapName: auto_home

auto_master map

dn: nisMapName=auto_master,dc=sus,dc=local
objectClass: top
objectClass: nisMap
nisMapName: auto_master
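As an added example (not from the original page), the Python below reads the objectclassMap/attributeMap lines out of the "default" profile above and applies them to a standard automount LDIF (automountMap/automount objects, the shape a Linux autofs client expects) to produce the nisMap/nisObject entries the directory actually holds, i.e. the same thing the maps make the Solaris client do in the other direction at lookup time. The profile text is the page's own; the automount LDIF is constructed. One thing the maps cannot express is that nisObject requires a nisMapName attribute on every entry, while the automount schema keeps the map name only in the parent DN, so the script fills it in from the DN.

```python
"""Apply the objectclassMap/attributeMap lines of the Solaris DUAConfigProfile
above to a standard automount LDIF, producing the nisMap/nisObject form the
directory stores.  Added example; the automount LDIF below is constructed."""
import re

# The "default" profile from the page (only the map lines matter here).
DEFAULT_PROFILE_LDIF = """\
dn: cn=default,ou=profile,dc=sus,dc=local
objectClass: DUAConfigProfile
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
cn: default
"""

# Constructed: the auto_home map as a Linux autofs client would model it.
STANDARD_AUTOMOUNT_LDIF = """\
dn: automountMapName=auto_home,dc=sus,dc=local
objectClass: top
objectClass: automountMap
automountMapName: auto_home

dn: automountKey=poshpaws,automountMapName=auto_home,dc=sus,dc=local
objectClass: top
objectClass: automount
automountKey: poshpaws
automountInformation: tombliboo:/store/shares/home/poshpaws
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries, each an ordered list of
    (attribute, value) pairs with 'dn' first.  No base64 or folded lines."""
    entries, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def maps_from_profile(profile_text, service="automount"):
    """Return ({client objectClass: stored objectClass},
               {client attribute: stored attribute}) for one service."""
    oc_map, attr_map = {}, {}
    for attr, value in parse_ldif(profile_text)[0]:
        m = re.fullmatch(rf"{service}:(\w+)=(\w+)", value)
        if not m:
            continue
        if attr.lower() == "objectclassmap":
            oc_map[m.group(1).lower()] = m.group(2)
        elif attr.lower() == "attributemap":
            attr_map[m.group(1).lower()] = m.group(2)
    return oc_map, attr_map


def rename_dn(dn, attr_map):
    """Rename the attribute type of every RDN, values untouched.
    Assumes no escaped commas in the DN."""
    parts = []
    for rdn in dn.split(","):
        a, _, v = rdn.partition("=")
        parts.append(f"{attr_map.get(a.strip().lower(), a.strip())}={v}")
    return ",".join(parts)


def translate_entry(entry, oc_map, attr_map):
    """Rewrite one entry from the client-side names to the stored names."""
    out = []
    for attr, value in entry:
        key = attr.lower()
        if key == "dn":
            out.append(("dn", rename_dn(value, attr_map)))
        elif key == "objectclass":
            out.append(("objectClass", oc_map.get(value.lower(), value)))
        else:
            out.append((attr_map.get(key, attr), value))
    # nisObject MUST carry nisMapName; the automount schema keeps the map name
    # only in the parent RDN, so take it from there when it is missing.
    classes = {v.lower() for a, v in out if a == "objectClass"}
    has_map_name = any(a.lower() == "nismapname" for a, _ in out)
    if "nisobject" in classes and not has_map_name:
        parent = out[0][1].partition(",")[2]
        m = re.match(r"nisMapName=([^,]+)", parent, re.IGNORECASE)
        if m:
            out.append(("nisMapName", m.group(1)))
    return out


def translate(profile_text, ldif_text):
    oc_map, attr_map = maps_from_profile(profile_text)
    return [translate_entry(e, oc_map, attr_map) for e in parse_ldif(ldif_text)]


def to_ldif(entries):
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


if __name__ == "__main__":
    print(to_ldif(translate(DEFAULT_PROFILE_LDIF, STANDARD_AUTOMOUNT_LDIF)))
```

Run as-is it prints the two entries in exactly the nisMap/nisObject shape shown in the auto_home map above. The same maps, read in the other direction, are what let the Solaris automounter query for automountKey and get back cn.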


slapd.conf on the LDAP master - no replication ... yet

root@jorik:~# cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/sudo.schema

TLSCACertificateFile /etc/openldap/etc/cacert.pem
TLSCertificateFile /etc/openldap/etc/servercrt.pem
TLSCertificateKeyFile /etc/openldap/etc/serverkey.pem



# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    %MODULEDIR%
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

access to dn.subtree="ou=People,dc=sus,dc=local"
        attrs=userPassword
        by dn="cn=proxyagent,ou=profile,dc=sus,dc=local" write
        by self write
        by anonymous auth
        by * read


access to *
        by * read

#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=sus,dc=local"
rootdn          "cn=Manager,dc=sus,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw -- REDACTED -- 
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/openldap
# Indices to maintain
index   objectClass     eq

#REPLICATION#

#Monitor DB#
database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw monitoring


### Comment out the TLS section to use this as is, or set up your certificates.

Before copying this file, read what the ACLs actually say. The userPassword clause ends with `by * read`, so anyone, anonymous binds included, can read every password hash under ou=People; and because that clause is scoped to dn.subtree="ou=People,...", the proxyagent's own userPassword under ou=profile is not covered by it at all and falls through to `access to * by * read`. The usual ending for that clause is `by * none` (kept after the `by anonymous auth` line, which is what simple binds need), and dropping the subtree restriction makes it cover userPassword wherever it lives. The `access to * by * read` clause also lets anonymous clients read everything else in the tree, shadow* attributes included; whether it can be tightened to `by users read` depends on what the clients fetch before they bind, so test that against ldapclient and ldaplist first. The monitor database has a cleartext rootpw, which is exactly what the comment above the main rootpw warns against; slappasswd(8) output works there too.

###

ldap.conf


BASE    dc=sus,dc=local
URI     ldap://jorik.sus.local ldap://jorik.sus.local:666
TLS_CACERT /etc/openldap/etc/cacert.pem
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
OPEN_LDAP_SLAPD_PARAMS="-d -1"

(OPEN_LDAP_SLAPD_PARAMS is not an ldap.conf directive; it is the init-script variable that carries slapd's startup flags, pasted here for reference. -d -1 turns on every debug level, which is extremely noisy and dumps raw protocol data, including what simple binds send, to slapd's output, so keep it for tinkering and use a normal loglevel on anything that matters.)


Slapcat output for Primary server

use at your own risk!!!!!

dn: dc=sus,dc=local
associatedDomain: sus.local
dc: sus
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: domainRelatedObject
objectClass: nisDomainObject
nisDomain: sus.local
structuralObjectClass: domain
entryUUID: 8e0ded54-302d-102e-8bad-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.862902Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z

dn: ou=profile,dc=sus,dc=local
ou: profile
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 8e169224-302d-102e-8bae-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.919555Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z

dn: ou=People,dc=sus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 8e1c0ca4-302d-102e-8bb2-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.955459Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z

dn: cn=proxyagent,ou=profile,dc=sus,dc=local
userPassword:: redacted
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
structuralObjectClass: person
entryUUID: 8e1d5e92-302d-102e-8bb3-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.964110Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z

dn: cn=default,ou=profile,dc=sus,dc=local
defaultSearchBase: dc=sus,dc=local
authenticationMethod: simple
followReferrals: TRUE
profileTTL: 43200
searchTimeLimit: 30
objectClass: DUAConfigProfile
defaultServerList: jorik.sus.local
credentialLevel: proxy
cn: default
defaultSearchScope: one
structuralObjectClass: DUAConfigProfile
entryUUID: 8e1ec020-302d-102e-8bb4-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
entryCSN: 20090916184551.207022Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090916184551Z

dn: cn=tls_profile,ou=profile,dc=sus,dc=local
defaultSearchBase: dc=sus,dc=local
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: jorik.sus.local
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=sus,dc=local
serviceSearchDescriptor: group: ou=Group,dc=sus,dc=local
serviceSearchDescriptor: shadow: ou=People,dc=sus,dc=local
serviceSearchDescriptor: netgroup: ou=netgroup,dc=sus,dc=local
serviceSearchDescriptor: sudoers: ou=SUDOers,dc=sus,dc=local
defaultSearchScope: one
structuralObjectClass: DUAConfigProfile
entryUUID: 8e2018c6-302d-102e-8bb5-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.981985Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z

dn: ou=policies,dc=sus,dc=local
ou: policies
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 8e2165b4-302d-102e-8bb6-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.990496Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z

dn: uid=sirbob,ou=People,dc=sus,dc=local
shadowMin: 5
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 1000
shadowFlag: 0
shadowExpire: -1
shadowMax: 99999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gecos: Test User
shadowLastChange: 0
shadowInactive: -1
shadowWarning: 7
structuralObjectClass: organizationalPerson
entryUUID: 8e22738c-302d-102e-8bb7-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
uid: sirbob
cn: sirbob
userPassword:: REDACTED
homeDirectory: /home/sirbob
entryCSN: 20090916180215.169238Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090916180215Z

dn: uid=poshpaws,ou=People,dc=sus,dc=local
shadowMin: 5
sn: poshpaws
loginShell: /bin/bash
uidNumber: 100
gidNumber: 100
shadowFlag: 0
shadowExpire: -1
shadowMax: 99999
uid: poshpaws
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 0
cn: poshpaws
homeDirectory: /home/poshpaws
shadowInactive: -1
shadowWarning: 7
structuralObjectClass: organizationalPerson
entryUUID: 8e23e55a-302d-102e-8bb8-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190822Z
gecos: Da Boss!
userPassword:: REDACTED=
entryCSN: 20090910135618.382761Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090910135618Z

dn: uid=caroline,ou=People,dc=sus,dc=local
loginShell: /bin/bash
sn: caroline
shadowMin: 5
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 100
uid: caroline
shadowMax: 99999
shadowLastChange: 0
shadowInactive: -1
uidNumber: 101
gecos: el diablo
shadowWarning: 7
shadowExpire: -1
cn: caroline
shadowFlag: 0
userPassword: REDACTED
homeDirectory: /home/caroline
structuralObjectClass: organizationalPerson
entryUUID: d10f4fd2-30b2-102e-8059-810d90ea5dc3
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090908110217Z
entryCSN: 20090908110217.344365Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090908110217Z

dn: uid=anya,ou=People,dc=sus,dc=local
loginShell: /bin/bash
sn: anya
shadowMin: 5
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 100
uid: anya
shadowMax: 99999
shadowLastChange: 0
shadowInactive: -1
uidNumber: 102
gecos: el bizda
shadowWarning: 7
shadowExpire: -1
cn: anya
shadowFlag: 0
userPassword: REDACTED


Very good reference

http://blog.maniac.nl/setting-up-ldap-with-openldap-server-solaris-10-aix-61-and-linux-clients/